Debating Tough Topics

When we are unsure of the right answer to a tough ICS security or OT question and see a lot of uncertainty and disagreement in the community, we think it would make an excellent S4 debate or panel discussion. There are a number of these on the S4x19 agenda, Jan 15-17 in Miami South Beach.

  • ICS Modifications to the CVSS with Clint Bodungen, Art Manion and Billy Rios

The Common Vulnerability Scoring System (CVSS) is frequently disparaged as a measure of the “severity” of an ICS vulnerability, even though it is currently the one and only metric. The question is how we can modify it to be a more accurate metric for use in ICS. Our three panelists will have 5 minutes to explain the what and why of their modifications, and they will each score three 2018 ICS vulnerabilities. We will make the vulnerabilities known in advance so others can contribute their mods and scores.

  • Is The Purdue Model Dead? with Brad Hegrat and Joel Langill

The Purdue Model has had a long run as THE ICS ARCHITECTURE. Although there have been tweaks, such as DMZs represented as Level 2.5 and 3.5, it has been mostly unchanged for almost three decades. With the advent of IIoT / Industrie 4.0, cloud services, AI, sensors everywhere and other technical innovations, is it time to kill off the Purdue Model? And if so, is there A MODEL that can replace it? Or are we looking at a set of principles rather than a model? And if so, what are those principles? (Dale Peterson, as moderator, will surely feel compelled to chime in as well with his analysis.)

  • Debate: Are Specialized OT Tools and Talent Required to Detect Attacks on ICS? Ben Miller v. Steve Miller

We covered this in an earlier article. This will be performed in a classic debate format.

  • Creating a Simple ICS Taxonomy with panelists pending

This was spawned by the increasing number of statistics that appear crazy being published in reports and in quotes from industry experts. For example, ~40% of ICS being directly connected to the Internet and receiving email sounds impossible to people in many sectors, but may be an accurate number if you include the large number of building automation systems, SMB asset owners and low value ICS. Discussing ICS as one large community, and then adding in IoT that interacts with ICS, is making discussion, analysis and action difficult. In this session, we will attempt to create a simple taxonomy, not something that would require a 50-page document with complex drawings, to make understanding and discussion more fruitful.